[AsteriskBrasil] Fwd: [asterisk-dev] Asterisk 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1 Now Available (Security Release)

Sylvio Jollenbeck sylvio.jollenbeck em gmail.com
Quinta Junho 12 23:39:11 BRT 2014


---------- Mensagem encaminhada ----------
De: "Asterisk Development Team" <asteriskteam em digium.com>
Data: 12/06/2014 17:40
Assunto: [asterisk-dev] Asterisk 1.8.15-cert6, 1.8.28.1, 11.6-cert3,
11.10.1, 12.3.1 Now Available (Security Release)
Para: <asterisk-dev em lists.digium.com>
Cc:

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security
releases are released as versions 1.8.15-cert6, 11.6-cert3, 1.8.28.1,
11.10.1,
and 12.3.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following issue:

* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
                Connections

  Establishing a TCP or TLS connection to the configured HTTP or HTTPS port
  respectively in http.conf and then not sending or completing a HTTP
request
  will tie up a HTTP session. By doing this repeatedly until the maximum
number
  of open HTTP sessions is reached, legitimate requests are blocked.

Additionally, the release of 11.6-cert3, 11.10.1, and 12.3.1 resolves the
following issue:

* AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized
                Shell Access

  Manager users can execute arbitrary shell commands with the MixMonitor
manager
  action. Asterisk does not require system class authorization for a manager
  user to use the MixMonitor action, so any manager user who is permitted
to use
  manager commands can potentially execute shell commands as the user
executing
  the Asterisk process.

Additionally, the release of 12.3.1 resolves the following issues:

* AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe
                Framework

  A remotely exploitable crash vulnerability exists in the PJSIP channel
  driver's pub/sub framework. If an attempt is made to unsubscribe when not
  currently subscribed and the endpoint's “sub_min_expiry†is set to zero,
  Asterisk tries to create an expiration timer with zero seconds, which is
not
  allowed, so an assertion raised.

* AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions

  When a SIP transaction timeout caused a subscription to be terminated, the
  action taken by Asterisk was guaranteed to deadlock the thread on which
SIP
  requests are serviced. Note that this behavior could only happen on
  established subscriptions, meaning that this could only be exploited if an
  attacker bypassed authentication and successfully subscribed to a real
  resource on the Asterisk server.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read
security advisories AST-2014-005, AST-2014-006, AST-2014-007, and
AST-2014-008,
which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the
ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert6
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-005.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-008.pdf

Thank you for your continued support of Asterisk!



--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: http://listas.asteriskbrasil.org/pipermail/asteriskbrasil/attachments/20140612/05b8ea0c/attachment.htm 


Mais detalhes sobre a lista de discussão AsteriskBrasil